Microsoft Introduced Layered Group Policy to Protect Corporate-owned Devices

Microsoft introduced the ability to apply layered Group Policy for all versions of Windows 10. This feature gives IT admins control over, and visibility into, corporate-owned devices in their organization. It lets you decide which internal or external devices can be installed on machines across your organization and which are prohibited. The ability to apply layered Group Policy will also be supported on Windows Server 2022 and Windows 11.

Device installation policies are used to restrict the installation of any device, both internal and external, to all machines across an organization while allowing a small set of pre-authorized devices to be used/installed. Every device has a set of ‘device identifiers’ that the system understands (class, device ID, and instance ID).

The allow list, written by the system admin, contains sets of identifiers that represent different devices; this is how the system knows which device is allowed and which is blocked.

According to Microsoft, the ability to apply layered Group Policy will be made more broadly available beginning with the August 2021 Update Tuesday release. The Windows Server release will follow thereafter.

Benefits of Controlling Device Installation Using Group Policy

Restricting which devices can be installed reduces the risk of data theft and reduces support costs:

  • Reduce the risk of data theft – It is more difficult for users to make unauthorized copies of company data if users’ computers cannot install unapproved devices that support removable media.
  • Reduce support costs – You can ensure that users install only those devices that your technical support team is trained and equipped to support. This benefit reduces support costs and user confusion.

Overview

Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings to specify which identifiers to allow or block. The four types of identifiers are:

  • Device Instance ID – A device instance ID is a system-supplied device identification string that uniquely identifies a device in the system.
  • Device ID – Windows uses device identification strings to match a device to a driver package. The strings range from the specific, matching a single make and model of a device, to the general, possibly applying to an entire class of devices. There are two types of device identification strings: hardware IDs and compatible IDs.
  • Device setup classes – Device setup classes (also known as Class) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. When you use device Classes to allow or prevent users from installing drivers, you must specify the GUIDs for all of the device’s device setup classes.
  • Removable Devices device type – A device is considered removable when the driver for the device to which it is connected indicates that the device is removable.

Device Installation policies flow chart | Credit – Microsoft

Apply Layered Group Policy Overview

Adding the new apply layered Group Policy to the existing device installation policies improves intuitive usage and flexibility as follows:

  • Intuitive usage: The new policy allows you to focus scripts on USB classes and be confident that no other class is going to be blocked unless specified by the IT admin.
  • Flexibility: The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: Device instance IDs > Device IDs > Device setup class > Removable devices.

Here’s how you can access policies –

  • To open the Group Policy Object Editor, click the Start button, type gpedit.msc in the Search box, and then press Enter, or type Group Policy Editor in the Windows search and open it.
  • Navigate to the following Device Installation Restrictions page –

Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

  • Open the Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria policy.

Introducing the ability to apply layered Group Policy

Once enabled, this policy lets you override the broad coverage of a ‘Prevent’ policy with an ‘Allow’ for a specific device, because the more specific match criteria are evaluated first.
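To make the evaluation order concrete, here is an added, self-contained model of how a device is checked against the Allow and Prevent lists, both in the legacy order (any Prevent wins) and in the new layered order (the most specific layer with a match decides). This is example code written for this page, not Windows' implementation and not Microsoft's code; the field names on `Restrictions` are chosen to mirror the policy names, the rule that a Prevent beats an Allow within the same layer is an assumption taken from the Prevent-first shape of the flow chart, and the sample vendor/product IDs and instance IDs are constructed. The two setup-class GUIDs are the standard USB and Mouse class GUIDs.

```python
"""Model of Device Installation Restrictions evaluation: legacy vs. layered.

Example code added for illustration, not Windows or Microsoft code.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace


@dataclass
class Device:
    """Identifiers Windows exposes for one Plug and Play device."""
    instance_id: str
    hardware_ids: list[str]
    compatible_ids: list[str]
    setup_class: str          # device setup class GUID
    removable: bool


@dataclass
class Restrictions:
    """The Allow/Prevent lists under Device Installation Restrictions.
    Field names mirror the policy names; they are an assumption of this model."""
    allow_instance_ids: set[str] = field(default_factory=set)
    deny_instance_ids: set[str] = field(default_factory=set)
    allow_device_ids: set[str] = field(default_factory=set)
    deny_device_ids: set[str] = field(default_factory=set)
    allow_classes: set[str] = field(default_factory=set)
    deny_classes: set[str] = field(default_factory=set)
    deny_removable: bool = False      # "Prevent installation of removable devices"
    deny_unspecified: bool = False    # "...devices not described by other policy settings"
    layered: bool = False             # the new "Apply layered order of evaluation" policy


def _norm(value: str) -> str:
    """Identifiers and GUIDs are compared case-insensitively, braces ignored."""
    return value.strip().strip("{}").lower()


def _match(policy_values: set[str], device_values: list[str]) -> bool:
    wanted = {_norm(v) for v in policy_values}
    return any(_norm(d) in wanted for d in device_values)


def _layers(dev: Device, pol: Restrictions) -> list[tuple[str, bool, bool]]:
    """(layer name, Prevent matched, Allow matched), most specific layer first."""
    dev_ids = dev.hardware_ids + dev.compatible_ids
    return [
        ("instance", _match(pol.deny_instance_ids, [dev.instance_id]),
                     _match(pol.allow_instance_ids, [dev.instance_id])),
        ("device id", _match(pol.deny_device_ids, dev_ids),
                      _match(pol.allow_device_ids, dev_ids)),
        ("class", _match(pol.deny_classes, [dev.setup_class]),
                  _match(pol.allow_classes, [dev.setup_class])),
        ("removable", pol.deny_removable and dev.removable, False),
    ]


def evaluate(dev: Device, pol: Restrictions) -> tuple[bool, str]:
    """Return (installation allowed?, reason)."""
    layers = _layers(dev, pol)
    if pol.layered:
        # Layered order: walk from most to least specific; the first layer with
        # any match decides. Within a layer, Prevent beats Allow (assumption).
        for name, denied, allowed in layers:
            if denied:
                return False, f"prevented at {name} layer"
            if allowed:
                return True, f"allowed at {name} layer"
    else:
        # Legacy order: any Prevent match wins, however broad it is.
        for name, denied, _ in layers:
            if denied:
                return False, f"prevented at {name} layer"
        for name, _, allowed in layers:
            if allowed:
                return True, f"allowed at {name} layer"
    if pol.deny_unspecified:
        return False, "prevented: not described by any policy"
    return True, "allowed: no policy matched"


USB_CLASS = "{36fc9e60-c465-11cf-8056-444553540000}"    # standard USB setup class
MOUSE_CLASS = "{4d36e96f-e325-11ce-bfc1-08002be10318}"  # standard Mouse setup class

# Constructed sample devices; the IDs are illustrative, not taken from the article.
FLASH_DRIVE = Device(
    instance_id="USB\\VID_0781&PID_5583\\0123456789",
    hardware_ids=["USB\\VID_0781&PID_5583&REV_0100", "USB\\VID_0781&PID_5583"],
    compatible_ids=["USB\\Class_08&SubClass_06&Prot_50", "USB\\Class_08"],
    setup_class=USB_CLASS, removable=True)
MOUSE = Device(
    instance_id="HID\\VID_046D&PID_C077\\7&1A2B3C4D&0&0000",
    hardware_ids=["HID\\VID_046D&PID_C077"],
    compatible_ids=["HID_DEVICE_SYSTEM_MOUSE"],
    setup_class=MOUSE_CLASS, removable=False)

# Broad Prevent on the USB class, Allow for one approved drive model, and
# Prevent for anything not described by other settings.
POLICY_LEGACY = Restrictions(deny_classes={USB_CLASS},
                             allow_device_ids={"USB\\VID_0781&PID_5583"},
                             deny_unspecified=True)
POLICY_LAYERED = replace(POLICY_LEGACY, layered=True)
# Same, plus a Prevent on one specific unit of the approved model.
POLICY_INSTANCE_DENY = replace(POLICY_LAYERED,
                               deny_instance_ids={FLASH_DRIVE.instance_id})

if __name__ == "__main__":
    for label, pol in [("legacy", POLICY_LEGACY), ("layered", POLICY_LAYERED),
                       ("layered+instance deny", POLICY_INSTANCE_DENY)]:
        print(f"{label:22} flash drive: {evaluate(FLASH_DRIVE, pol)}")
        print(f"{label:22} mouse:       {evaluate(MOUSE, pol)}")
```

Running the block shows the point of the new policy: with the legacy order the approved flash drive is still blocked, because the class-wide Prevent wins over the device-ID Allow; with the layered order the same Allow wins, because the device ID layer is evaluated before the class layer, while a Prevent on a single instance ID still blocks that one unit. The mouse is blocked in both modes only because `deny_unspecified` is on, which is the usual "default deny" companion to an allow list.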


You can explore more about the device installation process and several techniques for controlling device installation using Group Policy in Microsoft Docs.
